linux-toradex.git/net/mac80211, branch v2.6.27.24 Linux kernel for Apalis and Colibri modules mac80211: fix a buffer overrun in station debug code 2009-02-17T17:46:29+00:00 Jianjun Kong jianjun@zeuux.org 2008-11-11T05:37:39+00:00 e90d4b294fe2f8bcb0f3caf1c0ce1931a2818198 commit 013cd397532e5803a1625954a884d021653da720 upstream. net/mac80211/debugfs_sta.c The trailing zero was written to state[4], it's out of bounds. Signed-off-by: Jianjun Kong <jianjun@zeuux.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
commit 013cd397532e5803a1625954a884d021653da720 upstream.

net/mac80211/debugfs_sta.c
The trailing zero was written to state[4], it's out of bounds.

Signed-off-by: Jianjun Kong <jianjun@zeuux.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
mac80211: decrement ref count to netdev after launching mesh discovery 2009-02-02T16:28:07+00:00 Brian Cavagnolo brian@cozybit.com 2009-01-17T03:04:49+00:00 803f9eb9987e92e1b4c382c33892ec623d821d1d commit 5dc306f3bd1d4cfdf79df39221b3036eab1ddcf3 upstream. After launching mesh discovery in tx path, reference count was not being decremented. This was preventing module unload. Signed-off-by: Brian Cavagnolo <brian@cozybit.com> Signed-off-by: Andrey Yurovsky <andrey@cozybit.com> Acked-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
commit 5dc306f3bd1d4cfdf79df39221b3036eab1ddcf3 upstream.

After launching mesh discovery in tx path, reference count was not being
decremented.  This was preventing module unload.

Signed-off-by: Brian Cavagnolo <brian@cozybit.com>
Signed-off-by: Andrey Yurovsky <andrey@cozybit.com>
Acked-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
ath9k/mac80211: disallow fragmentation in ath9k, report to userspace 2008-10-22T21:21:05+00:00 Johannes Berg johannes@sipsolutions.net 2008-10-16T19:05:12+00:00 f76f2408cccf448917c8a2a2b775571fd60aee30 commit 4233df6b748193d45f79fb7448991a473061a65d upstream As I've reported, ath9k currently fails utterly when fragmentation is enabled. This makes ath9k "support" hardware fragmentation by not supporting fragmentation at all to avoid the double-free issue. The patch also changes mac80211 to report errors from the driver operation to userspace. That hack in ath9k should be removed once the rate control algorithm it has is fixed, and we can at that time consider removing the hw fragmentation support entirely since it's not used by any driver. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Acked-by: Luis R. Rodriguez <lrodriguez@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
commit 4233df6b748193d45f79fb7448991a473061a65d upstream

As I've reported, ath9k currently fails utterly when fragmentation
is enabled. This makes ath9k "support" hardware fragmentation by
not supporting fragmentation at all to avoid the double-free issue.
The patch also changes mac80211 to report errors from the driver
operation to userspace.

That hack in ath9k should be removed once the rate control algorithm
it has is fixed, and we can at that time consider removing the hw
fragmentation support entirely since it's not used by any driver.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Acked-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
mac80211: fix two issues in debugfs 2008-10-18T17:49:11+00:00 Johannes Berg johannes@sipsolutions.net 2008-10-10T15:52:49+00:00 60b216fffd66fc2ad2824a05d6838aff6b59d827 Not in trees above 2.6.27 as it is fixed differently in .28. This fixes RHBZ 466264, whenever the master interface is renamed this code would BUG_ON. Also fixes a separately reported bug with the debugfs dir being NULL. This patch is not applicable to the next kernel version because both these issues have been fixed, the first one by not having the master interface have a ieee80211_ptr at all, and the second one by also leaving the function early. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Cc: John Linville <linville@tuxdriver.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
Not in trees above 2.6.27 as it is fixed differently in .28.

This fixes RHBZ 466264, whenever the master interface is
renamed this code would BUG_ON. Also fixes a separately
reported bug with the debugfs dir being NULL.

This patch is not applicable to the next kernel version
because both these issues have been fixed, the first one
by not having the master interface have a ieee80211_ptr
at all, and the second one by also leaving the function
early.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Cc: John Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Revert "mac80211: Use IWEVASSOCREQIE instead of IWEVCUSTOM" 2008-09-05T19:38:09+00:00 Linus Torvalds torvalds@linux-foundation.org 2008-09-05T19:38:09+00:00 bf7394ccc13fe291d9258f01113b4c61214ddeae This reverts commit 087d833e5a9f67ba933cb32eaf5a2279c1a5b47c, which was reported to break wireless at least in some combinations with 32bit user space and a 64bit kernel. Alex Williamnson bisected it to this commit. Reported-and-bisected-by: Alex Williamson <alex.williamson@hp.com> Acked-by: John W. Linville <linville@tuxdriver.com> Cc: David Miller <davem@davemloft.net> Cc: Jouni Malinen <jouni.malinen@atheros.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 
This reverts commit 087d833e5a9f67ba933cb32eaf5a2279c1a5b47c, which was
reported to break wireless at least in some combinations with 32bit user
space and a 64bit kernel.  Alex Williamnson bisected it to this commit.

Reported-and-bisected-by: Alex Williamson <alex.williamson@hp.com>
Acked-by: John W. Linville <linville@tuxdriver.com>
Cc: David Miller <davem@davemloft.net>
Cc: Jouni Malinen <jouni.malinen@atheros.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
mac80211: Fix debugfs union misuse and pointer corruption 2008-09-02T21:39:50+00:00 Jouni Malinen jouni.malinen@atheros.com 2008-08-28T12:12:06+00:00 2b58b209399844995ad48e421267e359e16c03db debugfs union in struct ieee80211_sub_if_data is misused by including a common default_key dentry as a union member. This ends occupying the same memory area with the first dentry in other union members (structures; usually drop_unencrypted). Consequently, debugfs operations on default_key symlinks and drop_unencrypted entry are using the same dentry pointer even though they are supposed to be separate ones. This can lead to removing entries incorrectly or potentially leaving something behind since one of the dentry pointers gets lost. Fix this by moving the default_key dentry to a new struct (common_debugfs) that contains dentries (more to be added in future) that are shared by all vif types. The debugfs union must only be used for vif type-specific entries to avoid this type of pointer corruption. Signed-off-by: Jouni Malinen <jouni.malinen@atheros.com> Acked-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com> 
debugfs union in struct ieee80211_sub_if_data is misused by including a
common default_key dentry as a union member. This ends occupying the same
memory area with the first dentry in other union members (structures;
usually drop_unencrypted). Consequently, debugfs operations on
default_key symlinks and drop_unencrypted entry are using the same
dentry pointer even though they are supposed to be separate ones. This
can lead to removing entries incorrectly or potentially leaving
something behind since one of the dentry pointers gets lost.

Fix this by moving the default_key dentry to a new struct
(common_debugfs) that contains dentries (more to be added in future)
that are shared by all vif types. The debugfs union must only be used
for vif type-specific entries to avoid this type of pointer corruption.

Signed-off-by: Jouni Malinen <jouni.malinen@atheros.com>
Acked-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
mac80211: quiet chatty IBSS merge message 2008-08-27T00:33:34+00:00 John W. Linville linville@tuxdriver.com 2008-08-27T00:33:34+00:00 576fdeaef631976c3afcb1d78ef196051282611d It seems obvious that this #ifndef should be the opposite polarity... Signed-off-by: John W. Linville <linville@tuxdriver.com> 
It seems obvious that this #ifndef should be the opposite polarity...

Signed-off-by: John W. Linville <linville@tuxdriver.com>
mac80211: don't send empty extended rates IE 2008-08-27T00:06:33+00:00 Jan-Espen Pettersen sigsegv@radiotube.org 2008-08-25T18:29:22+00:00 8ab65b03b7893da4a49009e7e356e36e27b0c407 The association request includes a list of supported data rates. 802.11b: 4 supported rates. 802.11g: 12 (8 + 4) supported rates. 802.11a: 8 supported rates. The rates tag of the assoc request has room for only 8 rates. In case of 802.11g an extended rate tag is appended. However in net/wireless/mlme.c an extended (empty) rate tag is also appended if the number of rates is exact 8. This empty (length=0) extended rates tag causes some APs to deny association with code 18 (unsupported rates). These APs include my ZyXEL G-570U, and according to Tomas Winkler som Cisco APs. 'If count == 8' has been used to check for the need for an extended rates tag. But count would also be equal to 8 if the for loop exited because of no more supported rates. Therefore a check for count being less than rates_len would seem more correct. Thanks to: * Dan Williams for newbie guidance * Tomas Winkler for confirming the problem Signed-off-by: Jan-Espen Pettersen <sigsegv@radiotube.org> Signed-off-by: John W. Linville <linville@tuxdriver.com> 
The association request includes a list of supported data rates.

802.11b: 4 supported rates.
802.11g: 12 (8 + 4) supported rates.
802.11a: 8 supported rates.

The rates tag of the assoc request has room for only 8 rates. In case of
802.11g an extended rate tag is appended. However in net/wireless/mlme.c
an extended (empty) rate tag is also appended if the number of rates is
exact 8. This empty (length=0) extended rates tag causes some APs to
deny association with code 18 (unsupported rates). These APs include my
ZyXEL G-570U, and according to Tomas Winkler som Cisco APs.

'If count == 8' has been used to check for the need for an extended rates
tag. But count would also be equal to 8 if the for loop exited because of
no more supported rates. Therefore a check for count being less than
rates_len would seem more correct.

Thanks to:
 * Dan Williams for newbie guidance
 * Tomas Winkler for confirming the problem

Signed-off-by: Jan-Espen Pettersen <sigsegv@radiotube.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
mac80211: Fix debugfs file add/del for netdev 2008-08-27T00:06:33+00:00 Jouni Malinen j@w1.fi 2008-08-25T08:57:06+00:00 93015f0f34e81a47c4126329746ce5f364bafd11 Previous version was using incorrect union structures for non-AP interfaces when adding and removing max_ratectrl_rateidx and force_unicast_rateidx entries. Depending on the vif type, this ended up in corrupting debugfs entries since the dentries inside different union structures ended up going being on top of eachother.. As the end result, debugfs files were being left behind with references to freed data (instant kernel oops on access) and directories were not removed properly when unloading mac80211 drivers. This patch fixes those issues by using only a single union structure based on the vif type. Signed-off-by: Jouni Malinen <jouni.malinen@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com> 
Previous version was using incorrect union structures for non-AP
interfaces when adding and removing max_ratectrl_rateidx and
force_unicast_rateidx entries. Depending on the vif type, this ended
up in corrupting debugfs entries since the dentries inside different
union structures ended up going being on top of eachother.. As the
end result, debugfs files were being left behind with references to
freed data (instant kernel oops on access) and directories were not
removed properly when unloading mac80211 drivers. This patch fixes
those issues by using only a single union structure based on the vif
type.

Signed-off-by: Jouni Malinen <jouni.malinen@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
net/mac80211/mesh.c: correct the argument to __mesh_table_free 2008-08-27T00:06:32+00:00 Julia Lawall julia@diku.dk 2008-08-23T16:27:38+00:00 667d8af9af775a5fea203890978037ea750816cc In the function mesh_table_grow, it is the new table not the argument table that should be freed if the function fails (cf commit bd9b448f4c0a514559bdae4ca18ca3e8cd999c6d) The semantic match that detects this problem is as follows: (http://www.emn.fr/x-info/coccinelle/) // <smpl> @r exists@ local idexpression x; expression E,f; position p1,p2,p3; identifier l; statement S; @@ x = mesh_table_alloc@p1(...) ... if (x == NULL) S ... when != E = x when != mesh_table_free(x) goto@p2 l; ... when != E = x when != f(...,x,...) when any ( return \(0\|x\); | return@p3 ...; ) @script:python@ p1 << r.p1; p2 << r.p2; p3 << r.p3; @@ print "%s: call on line %s not freed or saved before return on line %s via line %s" % (p1[0].file,p1[0].line,p3[0].line,p2[0].line) // </smpl> Signed-off-by: Julia Lawall <julia@diku.dk> Signed-off-by: John W. Linville <linville@tuxdriver.com> 
In the function mesh_table_grow, it is the new table not the argument table
that should be freed if the function fails (cf commit
bd9b448f4c0a514559bdae4ca18ca3e8cd999c6d)

The semantic match that detects this problem is as follows:
(http://www.emn.fr/x-info/coccinelle/)

// <smpl>
@r exists@
local idexpression x;
expression E,f;
position p1,p2,p3;
identifier l;
statement S;
@@

x = mesh_table_alloc@p1(...)
...
if (x == NULL) S
... when != E = x
    when != mesh_table_free(x)
goto@p2 l;
... when != E = x
    when != f(...,x,...)
    when any
(
return \(0\|x\);
|
return@p3 ...;
)

@script:python@
p1 << r.p1;
p2 << r.p2;
p3 << r.p3;
@@

print "%s: call on line %s not freed or saved before return on line %s via line %s" % (p1[0].file,p1[0].line,p3[0].line,p2[0].line)
// </smpl>

Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: John W. Linville <linville@tuxdriver.com>